Search code examples
windowsamazon-web-servicesfile-permissionsnlogtopshelf

Topshelf, NLog and File Permissions


I have a Windows service application that uses the TopShelf library and I'm installing it in AWS during the cfn-init using the handy command line features that you get with topshelf.

C:\handy_service\> HandyService.exe install start

This basically installs the service in the registry and then calls sc start, but it's quite useful because it checks the service name matches what you expect and it allows you to configure the user that service will run as using the nice fluent API.

The installer code also writes some diagnostic logs to NLog if the service is configured to use NLog in general.

The problem is this: the installer runs as the default local administrator account that the AMI starts with and the NLog file gets created by this user. When the service starts up as the Network Service user, it doesn't have permission to write to the NLog log file.

How can I get my service to write to the log file? I've thought about setting the permissions programmatically but it looks nasty and I'd have to determine the log file name as this is generated dynamically based on the ec2 instance id. Also, it's not entirely obvious at what point the log file is first created. The easiest hack that I might go with is having two NLog.configs and switching one out at the end of the install after the logger is flushed. But because there is some overlap in time between the service starting and the installer exiting, I expect I'll lose a few lines of logging here.

Any clean suggestions would be greatly appreciated!


Solution

  • In the end I went with setting the permissions on the logs folder at deploy time. It's actually pretty straightforward with icacls, only a couple of lines in rake for instance, assuming you know where your logs folder is going to be:

    sh %{icacls "#{logs_dir}" /grant "#{username}":(OI)(W)}
    

    Not calling UseNLog() in the service config would also be a simple option, any install-time errors would go in the Windows event log in that case.